fix(sessions): retire stale direct DM rows after dmScope changes

[BunsDev]

Summary

• Adds openclaw sessions cleanup --fix-dm-scope to detect stale direct-DM session rows after session.dmScope is returned to main.
• Shows those rows in cleanup dry-runs as retire-dm-scope, removes them only when the operator applies cleanup, and archives their transcript files as .deleted.* instead of silently dropping history.
• Threads the option through the CLI, Gateway sessions.cleanup RPC, protocol schema, generated Swift mirrors, docs, and changelog.

Fixes #47561.
Fixes #45554.

Behavior

When session.dmScope is main, the cleanup repair targets old direct-message session key shapes such as:

• agent:<agent>:direct:<peer>
• agent:<agent>:<channel>:direct:<peer>
• agent:<agent>:<channel>:<account>:direct:<peer>

It skips the active key and does nothing unless --fix-dm-scope is explicitly set. Dry-run mode reports the planned rows without mutating the store.

Triage Notes

• Bug: /new session can be stranded by routing-mode changes and resume an older session #47561 is the same dmScope/session-identity lifecycle class as [Bug]: switching session.dmScope back to main does not reconcile stale peer-keyed direct DM sessions #45554: route resolution moves back to the main session, but old peer-keyed direct rows can continue to confuse or strand recovery after /new.
• PRtags duplicate write/search was unavailable during maintainer triage with a request failed (502) response, so this PR records the duplicate relationship in the body and closes both issues through the fix.
• [Bug]: Control UI typed /new no longer fires command:new hooks after 37aebf612b — session-memory and custom hooks broken #76957 is not duplicated here; it already has the open focused fix PR fix(sessions): gate command:new hook emission on emitCommandHooks param in sessions.create (#76957) #77376.

Verification

• pnpm test src/config/sessions/store.pruning.integration.test.ts src/commands/sessions-cleanup.test.ts src/cli/program/register.status-health-sessions.test.ts src/gateway/server.sessions.store-rpc.test.ts
• pnpm exec oxlint src/config/sessions/cleanup-service.ts src/commands/sessions-cleanup.ts src/cli/program/register.status-health-sessions.ts src/gateway/protocol/schema/sessions.ts src/gateway/server-methods/sessions.ts src/config/sessions/store.pruning.integration.test.ts src/commands/sessions-cleanup.test.ts src/cli/program/register.status-health-sessions.test.ts
• pnpm exec oxfmt --check --threads=1 CHANGELOG.md docs/cli/sessions.md docs/concepts/session.md src/config/sessions/cleanup-service.ts src/commands/sessions-cleanup.ts src/cli/program/register.status-health-sessions.ts src/gateway/protocol/schema/sessions.ts src/gateway/server-methods/sessions.ts src/config/sessions/store.pruning.integration.test.ts src/commands/sessions-cleanup.test.ts src/cli/program/register.status-health-sessions.test.ts
• git diff --check
• pnpm protocol:check
• pnpm changed:lanes --json

Security

No new network access, credential handling, process execution, dependency, or permission surface. The repair is explicit operator-invoked cleanup of local session-store rows and preserves transcript history by archiving removed row transcripts.

[clawsweeper]

Codex review: needs changes before merge.

Summary
The PR adds openclaw sessions cleanup --fix-dm-scope and a Gateway RPC parameter to retire stale direct-DM rows after session.dmScope returns to main, archive transcripts, and update protocol mirrors, docs, changelog, and tests.

Reproducibility: yes. as a source-level reproduction for the PR regression: current main can route a binding-owned DM to agent:main:<channel>:<account>:direct:<peer> under global session.dmScope: "main", and the PR predicate would retire that shape. I did not run a live cleanup command in this read-only review.

Real behavior proof
Not applicable: Not applicable because this is a maintainer/member PR; the body lists targeted repository checks, but the external-contributor real behavior proof gate does not apply.

Next step before merge
A narrow repair can make the PR's dmScope cleanup preserve valid route-binding session keys and add regression coverage.

Security
Cleared: The diff adds local session-store cleanup, protocol/docs/tests, and generated Swift mirrors without new dependency, network, credential, CI, or permission surface.

Review findings

• [P2] Preserve binding-scoped direct DM sessions — src/config/sessions/cleanup-service.ts:129-144

Review details

Best possible solution:

Keep the explicit dry-runnable cleanup flow, but make stale direct-row detection binding-aware so it only retires rows that current routing configuration cannot still own.

Do we have a high-confidence way to reproduce the issue?

Yes, as a source-level reproduction for the PR regression: current main can route a binding-owned DM to agent:main:<channel>:<account>:direct:<peer> under global session.dmScope: "main", and the PR predicate would retire that shape. I did not run a live cleanup command in this read-only review.

Is this the best way to solve the issue?

No, not yet. The explicit cleanup/archive approach is a good direction, but the proposed stale-key test must honor route-binding dmScope overrides before it is safe to merge.

Full review comments:

• [P2] Preserve binding-scoped direct DM sessions — src/config/sessions/cleanup-service.ts:129-144
  Current routing allows session.dmScope: "main" with bindings[].session.dmScope: "per-account-channel-peer", which intentionally produces keys like agent:main:discord:default:direct:<peer>. This predicate only checks the global session setting, so applying --fix-dm-scope would classify a still-valid binding-owned row as stale, delete it from sessions.json, and archive the transcript. Please make this repair binding-aware, or conservatively skip these shapes when a non-main route binding can own them.
  Confidence: 0.93

Overall correctness: patch is incorrect
Overall confidence: 0.88

Acceptance criteria:

• pnpm test src/config/sessions/store.pruning.integration.test.ts src/routing/resolve-route.test.ts src/commands/sessions-cleanup.test.ts src/cli/program/register.status-health-sessions.test.ts src/gateway/server.sessions.store-rpc.test.ts
• pnpm exec oxlint src/config/sessions/cleanup-service.ts src/config/sessions/store.pruning.integration.test.ts src/commands/sessions-cleanup.ts src/cli/program/register.status-health-sessions.ts src/gateway/protocol/schema/sessions.ts src/gateway/server-methods/sessions.ts
• pnpm exec oxfmt --check --threads=1 src/config/sessions/cleanup-service.ts src/config/sessions/store.pruning.integration.test.ts docs/cli/sessions.md docs/concepts/session.md CHANGELOG.md
• pnpm protocol:check

What I checked:

• PR stale-key predicate: The PR classifies any agent:<agent>:direct:<peer>, agent:<agent>:<channel>:direct:<peer>, or agent:<agent>:<channel>:<account>:direct:<peer> row as stale whenever global session.dmScope is main. (src/config/sessions/cleanup-service.ts:123, 9583e2890a3c)
• Current route-binding contract: Current main supports bindings[].session.dmScope overrides; a selected direct peer can intentionally resolve to agent:main:discord:default:direct:<peer> while global session.dmScope remains main. (src/routing/resolve-route.test.ts:141, 58c706451e1d)
• Routing implementation: resolveAgentRoute uses the binding session override before building the session key, so binding-scoped direct keys are not necessarily stale under a global main DM scope. (src/routing/resolve-route.ts:623, 58c706451e1d)
• Existing cleanup gap: Current main has fixMissing, stale pruning, capping, and disk-budget cleanup, but no dmScope-specific stale direct-row repair mode. (src/config/sessions/cleanup-service.ts:38, 58c706451e1d)
• Related reports: The PR body uses closing syntax for [Bug]: switching session.dmScope back to main does not reconcile stale peer-keyed direct DM sessions #45554 and Bug: /new session can be stranded by routing-mode changes and resume an older session #47561, and explicitly leaves the separate Control UI /new hook regression to fix(sessions): gate command:new hook emission on emitCommandHooks param in sessions.create (#76957) #77376/[Bug]: Control UI typed /new no longer fires command:new hooks after 37aebf612b — session-memory and custom hooks broken #76957. (9583e2890a3c)

Likely related people:

• Peter Steinberger: Current-main blame for the route key builder, route-binding coverage, and cleanup service points at the recent session/routing refactor snapshot, and the same area is central to the PR regression. (role: recent maintainer; confidence: medium; commits: 7188e4f4ad87, ecbf9f06e933; files: src/routing/session-key.ts, src/routing/resolve-route.test.ts, src/config/sessions/cleanup-service.ts)
• SidQin-cyber: Local history identifies the existing --fix-missing sessions cleanup path as the closest repair-mode pattern extended by this PR. (role: adjacent cleanup feature author; confidence: medium; commits: 71e45ceecced; files: src/config/sessions/cleanup-service.ts, src/commands/sessions-cleanup.ts, docs/cli/sessions.md)
• gumadeiras: Related PR Session/Cron maintenance hardening and cleanup UX #24753 introduced the broader session maintenance and openclaw sessions cleanup UX that this PR extends. (role: original cleanup/maintenance contributor; confidence: medium; commits: eff3c5c70778; files: src/config/sessions/store.ts, src/commands/sessions-cleanup.ts, docs/cli/sessions.md)

Remaining risk / open question:

• The PR's reported validation commands were not run because this was a read-only review.
• The safest implementation needs to preserve currently reachable binding-scoped direct keys without weakening cleanup for truly stale historical dmScope rows.

Codex review notes: model gpt-5.5, reasoning high; reviewed against 58c706451e1d.